With software being one of the most valuable assets in business today and DevOps in the driver's seat for software pipelines, CISOs are facing an array of challenges regarding their organizational security and integrity. The role and overall visibility of CISOs have continued to evolve because corporate security isn't just nice to have anymore — it's an integral part of the business, an imperative. This reality now puts CISOs in the unenviable position of quickly understanding and communicating how much risk their business is willing to accept, and getting teams to act accordingly.
Cultural Divisions = More Risk
As the appetite for software accelerates, and the sophistication of application security advances, everyone inside a company needs to be on the same page about their risk posture and how it affects ongoing security efforts. We already know this isn't happening. While DevOps has revolutionized software development in terms of speed, capability, and agility, developers and security teams simply don't share a common vision or unified goal on how to get software to market quickly and securely. Recent Ponemon research found developers see security as a bottleneck to innovation and speed, while security practitioners believe developers continue to prioritize delivery times over quality.
The technology is there, but cultural (and human) problems are slowing down the process. CISOs are challenged with figuring out a way to tailor security programs to customer needs and business goals by aligning business and security strategies. We already know that integrating security testing earlier in the software development life cycle (SDLC) can help mitigate risk, and it also makes developers much more productive. CISOs can help bridge the cultural divide by accomplishing their risk management objectives while simultaneously helping their development partners be more successful.
Digital Transformation Needs Scalability and Continuity
With digital transformation accelerating development cycles, security can't be considered a barrier to speed. Remember, cars have brakes so they can go fast! We need to ensure software can be developed quickly too, protected by application security and not hindered by it. Unfortunately, a lot of security processes are still manual today. Testing tools deliver enormous volumes of data, all of which needs to be correlated and prioritized. These tasks take time, and CISOs are often dealing with more data than they have people to analyze it. To ensure their existing security governance frameworks, including tools, processes, and policies, can keep up, CISOs will need to continue building the bridge across the divide by empowering their development teams with the right resources and support.
To properly scale security, organizations need to decrease manual processes by embracing SDLC automation and continuous scanning. This results in faster remediation and better overall application security. Orchestration is important too. With proper orchestration, vulnerabilities are prioritized and refined for remediation. CISOs are key in creating this component of the "bridge" because processes like automation and orchestration can save developers time by consolidating units of work and converting findings into a language they understand.
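One concrete way to do the correlation, prioritization and consolidation described above, as an added example that is not from the article or any particular product: findings from several scanners are merged on a fingerprint, ranked by severity and by how many tools corroborate them, then grouped into one developer-facing work item per file with a plain-language description and fix. The tool names, finding fields and sample findings are constructed for illustration.

```python
"""Consolidate and prioritize scanner findings into developer-facing work items.

Added example; the finding schema, scanner names and sample data below are
assumptions constructed for illustration, not a real tool's output format.
"""
from collections import defaultdict

# Constructed sample findings, as three hypothetical scanners might emit them
# (a SAST tool, an IAST tool and an SCA tool). 'line' is 0 when not applicable.
FINDINGS = [
    {"tool": "sast", "rule": "sql-injection", "file": "app/db.py", "line": 42, "severity": "high"},
    {"tool": "iast", "rule": "sql-injection", "file": "app/db.py", "line": 42, "severity": "critical"},
    {"tool": "sast", "rule": "hardcoded-secret", "file": "app/config.py", "line": 7, "severity": "medium"},
    {"tool": "sca", "rule": "vulnerable-dependency", "file": "requirements.txt", "line": 0,
     "severity": "high", "package": "examplelib", "fix_version": "2.1.0"},
    {"tool": "sast", "rule": "debug-enabled", "file": "app/settings.py", "line": 3, "severity": "low"},
]

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}

# Plain-language guidance per rule, so a ticket reads as an action, not a scanner code.
MESSAGES = {
    "sql-injection": "User input reaches a SQL query without parameterization; use a parameterized query.",
    "hardcoded-secret": "A credential is embedded in source; move it to a secrets store and rotate it.",
    "vulnerable-dependency": "A dependency has a published vulnerability; upgrade to the fixed version.",
    "debug-enabled": "Debug mode is on in a deployable configuration; disable it for production builds.",
}


def fingerprint(f):
    """Identity of a finding across tools and re-scans: same rule at the same location."""
    return (f["rule"], f["file"], f["line"])


def consolidate(findings):
    """Merge duplicates, keeping the highest reported severity and the set of reporting tools."""
    merged = {}
    for f in findings:
        key = fingerprint(f)
        entry = merged.get(key)
        if entry is None:
            entry = dict(f)
            entry["sources"] = set()
            merged[key] = entry
        elif SEVERITY_RANK[f["severity"]] > SEVERITY_RANK[entry["severity"]]:
            entry["severity"] = f["severity"]
        entry["sources"].add(f["tool"])
    return list(merged.values())


def prioritize(findings):
    """Highest severity first; ties broken by how many tools corroborate the finding."""
    return sorted(findings, key=lambda f: (-SEVERITY_RANK[f["severity"]],
                                           -len(f["sources"]), f["file"], f["line"]))


def describe(f):
    """One line a developer can act on: location, severity, what to do."""
    base = MESSAGES.get(f["rule"], f["rule"])
    fix = f" Upgrade {f['package']} to {f['fix_version']}." if "fix_version" in f else ""
    return f"{f['file']}:{f['line']} ({f['severity']}) {base}{fix}"


def to_work_items(findings):
    """Group prioritized findings by file so each ticket is one unit of work."""
    groups = defaultdict(list)
    for f in prioritize(consolidate(findings)):
        groups[f["file"]].append(f)
    items = []
    for path, fs in groups.items():
        top = fs[0]["severity"]  # fs is already sorted, so the first is the worst
        items.append({
            "title": f"[{top.upper()}] Fix {len(fs)} security finding(s) in {path}",
            "priority": top,
            "findings": fs,
            "summary": "\n".join(describe(f) for f in fs),
        })
    items.sort(key=lambda i: -SEVERITY_RANK[i["priority"]])  # stable: keeps file order within a level
    return items


if __name__ == "__main__":
    for item in to_work_items(FINDINGS):
        print(item["title"])
        print("  " + item["summary"].replace("\n", "\n  "))
```

The fingerprint is deliberately coarse (rule, file, line): it merges the two reports of the same SQL injection even though the scanners disagree on severity, and it records both tools as sources so the ticket can show that the finding was independently confirmed. Real scanners move line numbers between commits, so a production version would fingerprint on a hash of the surrounding code rather than the raw line number.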
The Present and Beyond
Building security into the SDLC helps create more visibility, but CISOs still need to stay on top of any serious threats on the horizon, even if they are largely unknown. The fallout from the pandemic remains to be seen, but it has already had a major impact on both security and development. The move to telework and use of even more cloud-based applications has significantly diminished the security of software applications. According to the same Ponemon research noted earlier, both security practitioners and developers lack confidence that teleworkers are complying with security and privacy requirements. In fact, only a third of both groups believe their organizations are effectively stopping or curtailing security compromises or exploits in software applications.
As the future continues to bring unexpected turns, CISOs must maintain a close working relationship with the DevOps team and continue to seamlessly integrate security into the SDLC. Without a collaborative relationship between teams, security becomes an afterthought or a periodic, manual, nonrepeatable process.
This won't happen overnight, as it requires a significant cultural shift. Developers must buy into the notion that quality software hinges on built-in security at every phase of development, and see security as a necessity. When this happens, CISOs can feel more confident in answering the questions "am I secure?" and "is this application that I've brought to market secure?" because everyone has the same goals, is on the same page, and can quickly adapt to threats not yet known.